As IPv4 disappears, transition poses hazards
01 February, 2011 04:26
With the last IPv4 addresses about to be allocated, the good news is that IT managers -- at least in the U.S. and Europe -- don't suddenly have to get the next Internet Protocol working.
The bad news is that there are some hazards both in putting off adoption of IPv6 and in implementing it, according to vendors and industry analysts.
If the Asia-Pacific Network Information Center is granted two more large blocks of IP addresses, which it is entitled to because its addresses are being snatched up so fast, then a rule will kick in that forces the Internet Assigned Numbers Authority (IANA) to divide the remaining five blocks of IPv4 addresses among the world's five regional registries. Once the regional bodies run out of those addresses, they will have nowhere to turn for new ones.
IPv6, introduced in the late 1990s, offers an almost unlimited number of addresses, compared with approximately 4.3 billion addresses for IPv4. While many devices use privately held addresses that are reused on the same LAN, unique IP addresses are usually needed for servers and other types of endpoints. Particularly in fast-growing parts of the world, such as India and China, those unique addresses are being consumed quickly. The two versions aren't compatible, so, for example, client systems that only have an IPv6 address can't get to content on servers that only have IPv4 addresses.
Yet despite the dire state of IPv4, the use of IPv6 is still minuscule, according to Arbor Networks, which supplies network monitoring equipment to about three-quarters of all large Internet service providers (ISPs).
The results of Arbor's last survey of the Internet, about five months ago, show only a fraction of one-tenth of 1 percent of all traffic used IPv6, "almost below the threshold of what we could measure," Arbor Chief Scientist Craig Labovitz said.
Part of the reason is that migrating to IPv6 costs money and in most cases offers no economic benefit, observers said. However, it will take cooperation from everyone to prevent the first IPv6-only Internet users being cut off from most of the world's Internet hosts, said Jason Schiller, a senior Internet network engineer at Verizon Business. He fears some user, somewhere, may be in that predicament in the next six to 12 months if nothing is done.
That's not likely to happen to enterprises in North America or Europe, analyst Glen Hunt of Current Analysis believes. For one thing, major U.S. service providers will have IPv4 addresses to give out to their customers for some time, he said. Also, through large-scale NAT (network address translation), the carriers could act as bridges between the IPv4 world and users who can only get IPv6, according to Hunt. With NAT, users can share a single, unique IPv4 address that is exposed to the outside Internet.
However, Hunt and other experts warned that centralized, large-scale NAT has many dangers. The systems that perform the translation could become bottlenecks if asked to process too many requests. Having so many users share a single IPv4 address might also cause errors and security problems. For example, if a host suffers a DoS (denial-of-service) attack from behind the NAT device, it might associate the attack with the shared IPv4 address and respond in a way that affects all the users sharing the address, according to Verizon's Schiller. That could even involve those users getting blocked for a few minutes.
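The collateral-blocking problem Schiller describes can be shown with a small simulation. The following is an added example, not code from the article or from any of the companies quoted in it: it builds a constructed request log in which three subscribers sit behind one carrier-NAT address and one of them floods the server, then compares a rate limiter keyed on source IP alone with one keyed on source IP plus port block. The port-block keying assumes the carrier hands each subscriber a fixed block of source ports (the block size, 1024, is an assumption for this example; the article does not describe how ports are allocated), which goes slightly beyond what the article states.

```python
from collections import Counter

# Assumed size of the per-subscriber source-port block behind the carrier NAT.
PORT_BLOCK = 1024

def make_log():
    """Constructed request records: (source_ip, source_port, path). Not real traffic."""
    log = []
    # One subscriber (port block 1024-2047) behind the shared address sends 60 requests.
    log += [("203.0.113.7", 1024 + i, "/") for i in range(60)]
    # Two other subscribers behind the same shared address make a handful of requests each.
    log += [("203.0.113.7", 2048 + i, "/news") for i in range(3)]
    log += [("203.0.113.7", 3072 + i, "/about") for i in range(2)]
    # A host that has its own public IPv4 address.
    log += [("198.51.100.9", 40000 + i, "/") for i in range(4)]
    return log

def subscriber_key(ip, port):
    """Identify a subscriber by (shared address, start of its port block)."""
    return (ip, port - port % PORT_BLOCK)

def naive_blocklist(log, threshold):
    """Classic per-source-IP limiter: every address over the threshold is blocked."""
    counts = Counter(ip for ip, _port, _path in log)
    return {ip for ip, n in counts.items() if n > threshold}

def port_aware_blocklist(log, threshold):
    """Same threshold, but counted per (address, port block), so only the
    offending subscriber behind the NAT is blocked."""
    counts = Counter(subscriber_key(ip, port) for ip, port, _path in log)
    return {key for key, n in counts.items() if n > threshold}

def collateral_damage(log, blocked_ips, offenders):
    """Subscribers whose traffic an IP-level block drops although they are not offenders."""
    hit = {subscriber_key(ip, port) for ip, port, _path in log if ip in blocked_ips}
    return hit - offenders

if __name__ == "__main__":
    log = make_log()
    by_ip = naive_blocklist(log, 20)
    by_block = port_aware_blocklist(log, 20)
    print("blocked by IP only:", by_ip)
    print("blocked by IP + port block:", by_block)
    print("innocent subscribers cut off:", collateral_damage(log, by_ip, by_block))
```

With the constructed log, the IP-only limiter blocks 203.0.113.7 and with it the two subscribers who sent five requests between them, which is exactly the "everyone behind the address gets blocked" outcome the article warns about; the port-block keying isolates the single offender. Real deployments only get this benefit when the carrier's port allocation is deterministic and known to the defender.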
Large-scale NAT could also make troubleshooting harder for the service provider and interfere with application acceleration or even targeted advertising, if an advertiser tried to build a profile based on a shared IP address.
"If the guy next to you is into hunting and fishing, and you're not, you might start seeing ads for hunting and fishing," Schiller said.
For those reasons, Verizon hopes to avoid deploying NAT for this purpose on its own network. Instead, it recommends users set up NAT on their own premises.
Even organizations that do the right thing and deploy IPv6 may run into challenges to securing their networks, because most security systems today are built around the properties of IPv4, security experts said.
For example, there are so many addresses in IPv6 that the typical supply handed out to one organization is too large to scan for threats on the internal network.
"The networks are so large that to scan a typical net block would take 5 billion years," said Misha Govshteyn, vice president of technology and service provider solutions at security vendor Alert Logic. Scanning a typical IPv4 address range takes no more than a few minutes. Govshteyn added that his company is developing a new type of vulnerability assessment that will work with IPv6 networks.
This problem isn't as bad as it might seem, because there are other methods of finding potential threats, according to Danny McPherson, vice president of network security research at VeriSign Labs. A security tool can watch activity on the network or the allocation of devices through a method such as DHCP (Dynamic Host Configuration Protocol). Not being able to scan all the IP addresses in a network does prevent discovery of passive listening devices, but those devices might resist identification anyway, he added.
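Two things in the preceding paragraphs lend themselves to a worked example: the arithmetic behind "too large to scan" and the alternative McPherson describes, inventorying hosts from lease and neighbor activity instead of probing every address. The following is an added example, not code from the article or any vendor mentioned in it. The scan-time function is plain arithmetic on prefix sizes; the inventory builder parses constructed DHCPv6 lease log lines (the lease-log format is invented for this example and is not any real server's format) together with constructed lines laid out the way Linux `ip -6 neigh` prints its neighbor cache. All addresses, DUIDs, MACs and hostnames are made up.

```python
import ipaddress
import re

def addresses_in_prefix(prefix):
    """Number of addresses in a CIDR prefix, e.g. '2001:db8::/64' or '10.0.0.0/16'."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses

def scan_seconds(prefix, probes_per_second):
    """Wall-clock seconds to probe every address in the prefix once at a flat rate."""
    return addresses_in_prefix(prefix) / probes_per_second

def scan_years(prefix, probes_per_second):
    return scan_seconds(prefix, probes_per_second) / (365.25 * 24 * 3600)

# Constructed DHCPv6 server log (format invented for this example).
DHCP_LOG = """\
2011-02-01T04:26:01 lease 2001:db8:1::a1 duid 00:01:00:01:aa:bb:cc:dd host web1
2011-02-01T04:26:05 lease 2001:db8:1::b7 duid 00:01:00:01:11:22:33:44 host printer-3f
2011-02-01T04:27:12 release 2001:db8:1::b7 duid 00:01:00:01:11:22:33:44
2011-02-01T04:30:40 lease 2001:db8:1::c2 duid 00:01:00:01:55:66:77:88 host laptop-jd
"""

# Constructed neighbor-cache lines in the layout of `ip -6 neigh` on Linux.
NEIGH_OUT = """\
2001:db8:1::a1 dev eth0 lladdr 00:16:3e:aa:bb:cc REACHABLE
2001:db8:1::5e dev eth0 lladdr 00:16:3e:de:ad:01 STALE
fe80::216:3eff:fede:ad01 dev eth0 lladdr 00:16:3e:de:ad:01 REACHABLE
"""

DHCP_RE = re.compile(r"^\S+ (lease|release) (\S+) duid (\S+)(?: host (\S+))?$")
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")

def build_inventory(dhcp_text, neigh_text):
    """Map each globally routable IPv6 address to the evidence that a host is using it,
    without sending a single probe."""
    inv = {}
    for line in dhcp_text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        action, addr, duid, host = m.groups()
        if action == "lease":
            inv[addr] = {"source": "dhcpv6", "duid": duid, "host": host}
        else:
            inv.pop(addr, None)  # released lease: address no longer assigned
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if not m:
            continue
        addr, dev, mac, state = m.groups()
        if ipaddress.ip_address(addr).is_link_local:
            continue  # fe80::/10 entries are not the global addresses we inventory
        entry = inv.setdefault(addr, {"source": "neighbor-cache"})
        entry.update({"mac": mac, "dev": dev, "state": state})
    return inv

if __name__ == "__main__":
    rate = 1_000_000  # probes per second, an assumed scanner rate
    print("IPv4 /16 at 1M pps: %.3f s" % scan_seconds("10.0.0.0/16", rate))
    print("IPv6 /64 at 1M pps: %.0f years" % scan_years("2001:db8::/64", rate))
    for addr, info in sorted(build_inventory(DHCP_LOG, NEIGH_OUT).items()):
        print(addr, info)
```

The inventory ends up with three addresses: two from leases (the released printer lease is dropped) and one, 2001:db8:1::5e, that never appeared in DHCP but shows up in the neighbor cache, which is the kind of host McPherson says you still find by watching activity. A host that neither leases an address nor talks on the segment stays invisible to both sources, matching his caveat about passive listeners.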
However, there will be headaches for companies upgrading to IPv6, McPherson said. Security products for IPv6 typically are more expensive than their IPv4 counterparts because the economies of scale haven't driven down costs yet, he said.
Partly as a result of these challenges, IPv4 will be with us for a long time, McPherson and others warned. Many systems that don't get replaced often, such as industrial SCADA platforms, could remain in place using old IPv4 addresses for years, McPherson said. IPv4 will probably remain for decades.
To deal with this, Verizon's advice to enterprises is to set up dual protocol stacks, allowing users both inside and outside to keep accessing Internet resources regardless of what kind of address they have been assigned. Verizon Business offers professional services to help businesses plan and carry out a transition.
Because carriers have IPv6-capable gear ready in their networks, enterprises in the U.S. don't need to rush into an upgrade, said Hunt at Current Analysis.
"If you have communication devices that are going to be in your network for the next three to five years, you're probably not going to change them just so you can go to IPv6," Hunt said. "But when you upgrade that server or that data center interconnect ... then is probably the time." He thinks the momentum toward IPv6 will pick up in the next two to three years and there will be significant progress within five to seven years.
Arbor's Labovitz was not so sanguine.
"Enterprises that want to expand their data centers, expand their networks will begin to encounter shortages of IPv4 address space. Or it may be more expensive," Labovitz said.
A moment of truth for IPv6 will be June 8, when the Internet Society conducts a test in which Google, Yahoo, Facebook and other major Web entities turn on IPv6 on their home pages for a day. A large-scale test is needed to identify problems with running IPv6, said Leslie Daigle, chief Internet technology officer at the Internet Society.
"I think there is a real possibility that a significant number of users will have to adjust their configurations" to access IPv6-enabled sites, Daigle said.
As long as they plan well, enterprises should be able to migrate without major challenges, but everyone should expect change over the next few years, Daigle said.
"We can expect the landscape of the Internet to be a little turbulent over the coming while."